nsplugin module files are not in /
by yiruli@ccsl.carleton.ca
nsplugin.pp is loaded in my machines.
But I can not find the three module files--nsplugin.if, nsplugin.te,
and nsplugin.fc?
Should not they be in the directory
/serefpolicy-3.3.1/policy/modules/apps of the src.rpm package?
thanks a lot.
Yiru
15 years, 7 months
where can I find source policy for Mozilla Browser (Firefox)
by yiruli@ccsl.carleton.ca
Hi,
Where can I find the source policy for Mozilla Firefox?
From the SELinux administration tool, I see that Mozilla module has
been loaded?
But I find the following through the command "ps -Z":
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:17:34 firefox
Can I say that the policy for Firefox in my machine is not enforced yet?
How can I make the policy be enforced?
What is the status of the policy writing for Firefox?
In one web article, Dan said that the policy writing for Firefox has
little success due to its variant behaviour.
I am a beginner of SELinux.
Thanks a lot.
Yiru
15 years, 7 months
Advice needed designing packages for selinux
by David Carter
Hey folks!
Here's some architectural background on my application. I have two
pieces: an agent and a library that links with an application. The
library communicates with the agent via semaphores, message queues,
and shared memory. The files corresponding to these IPC mechanisms had
been stored in /tmp. But here's the rub. The agent could run in root
space as a system wide agent, but also in user space as a development
and debugging tool. To facilitate this, each instance creates it's own
subdirectory to hold the IPC files. Since they'll need to clean this
up when they're done, I'd set the sticky bit on the directory.
So know, if I move the system queues to /var/lib as I should, I have
to have the sticky but set there, which is bad. Alternatively, if I
leave it in the /tmp directory, I don't see how I can set the ACL's
that selinux requires. The third option is to give any applications
requiring access permissions so broad as to defeat the purpose of
selinux. And the fourth is to disable selinux entirely, which is also
not good.
Advice?
TIA,
Dave
15 years, 7 months
was selinux-policy-devel merged into selinux-policy
by Murray McAllister
Hi,
Sorry for the silly question. On Fedora 9, "rpm -qf
/usr/share/selinux/devel/policygentool" says that it belongs to
selinux-policy-devel-3.3.1-87.fc9.
On rawhide, "rpm -qf /usr/share/selinux/devel/policygentool" says that
it belongs to selinux-policy-3.5.7-1.fc10.noarch.
When I try "yum install selinux-policy-devel", it says that
selinux-policy-3.5.7-1.fc10.noarch is already installed.
Was selinux-policy-devel merged into selinux-policy? (I looked in the
selinux-policy changelog but wasn't sure)
Thanks.
15 years, 7 months
sealert won't erase some entries
by John Griffiths
I need some guidance.
I have four entries that show up in sealert browser mode that will not
erase. I select them, delete them, and remove those that are marked
deleted and nothing happens. There are only four entries that do this.
The other log entires can be deleted just fine.
The four entries don't seem to cause any problems; they are just an
annoyance. Any help would be appreciated.
Thanks,
John
15 years, 7 months
restoring default selinux policy configuration
by Murray McAllister
Hi,
If I change a lot of booleans, or install a lot of custom policies, is
there any way to restore selinux policy (targeted) to its default
configuration?
Thanks.
15 years, 7 months
Backing up and restoring SELinux file contexts
by Frank Sweetser
I'm looking at helping to extend the Bacula backup system to handle SELinux
file contexts, and I wanted to make sure I'm going down the right path.
Now as I understand it, the context associated with a file on disk can be
retrieved via getfilecon, and set via setfilecon.
However, on disk, the context is stored as an extended attribute, which are
handled via getxattr and setxattr.
So my question is, is it practical to just use the *xattr functions to backup
and restore the file contexts, or do I need to perform an explicit check to
see if I'm running on an SELinux system and, if so, use the *filecon functions
instead? I'd prefer to use the *xattr functions if at all possible, since
that would simplify a lot of cases, such as restoring an SELinux system from a
non SELinux aware rescue disk, but want to make sure there aren't any gotchas
I'm missing.
--
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
15 years, 7 months
question on new filecontext type and documentation issues
by Sebastian Hennebrueder
Hello,
thank you for the nice solution you provided with Selinux.
I have two issues:
1)
I use Centos 5.2 which clones Redhat Enterprise Linux. I use the
targeted policy.
Postfix and dovecot shares the certicates. I solved the problem in a
way that I copied the certificates and set the corresponding context.
I don't like this approach. Alternatively I can use the normal
audit2allow approach to allow postfix access to dovecot or vice versa
but I would like not to give them this right.
The best solution is to create a new context which can be accessed by
both domains.
With the new module approach, how do I start to write a new context
type? It is probably simple but I don't find the way to start by reading
the documentation on the net.
2)
I am actually a Java developer running my own Linux server, so I am far
away from being a Linux expert.
My feeling is that the documentation is really hard to follow.
It was hard to find out how to interpret the audit.log. The only
location to explain the different attributes seams to be
> http://seedit.sourceforge.net/doc/access_vectors/
> <javascript:void(0);/*1221395834258*/>
But still some documented log entries would be fine, e.g. what does a
socket connect require, what does a search for the config file in /etc
require, ...
I found the tip to use sealert -a on the
http://wiki.centos.org/HowTos/SELinux <javascript:void(0);/*1221395813896*/>
I found the statement do 'cat audit.log | audit2allow ...' but don't
trust the result somewhere. But well, if I shouldn't trust, I would
appreciate to analyse as well.
Your wiki does note
http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
<javascript:void(0);/*1221395820244*/> which is a good resource after
having understood the basics
The next page told me about sesearch, which is a very important tool IMHO.
http://www.durchmesser.ch/wiki/SELinux
<javascript:void(0);/*1221395840703*/>
I still have no idea how to find information on the different macros
which where noted somewhere.
From my beginner point of view, I noted my steps and resources on my
blog at http://www.laliluna.de/blog/
To summarize, I would appreciate a somehow more centralized complete
documentation, much more oriented to practical use cases.
Best Regards
Sebastian
15 years, 7 months